Trying to establish an S2S VPN connection from FTD to Azure. The connection is up and the encrypted and decrypted packet counts keep increasing, but the Azure side is not receiving traffic. Packet trace shows it's hitting the IPSec ACL and hitting the right NAT exempt rule. Packet capture on the inside interface shows the traffic coming in from the Azure side and return traffic from the protected server address. The only weird thing is when doing a packet capture on the outside interface I can see interesting traffic being sent on the outside interface with the Azure side destination address and the outside interface as the source. Should I be seeing that if the traffic is going through the tunnel?
encrypt <<- meaning your traffic has passed the interface you configured the crypto map under
decrypt <<- meaning your FTD successfully received the traffic from Azure and IPsec successfully handled this traffic
Are you seeing both encrypt and decrypt under the same IPsec SA? I.e., under the same IPsec SA toward the remote peer Azure, are you seeing the encrypt and decrypt counts increase?
Then check if there is a FW in front of your FTD that drops the packets.
Check if the traffic went to the wrong peer.
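A small checker for the counter comparison the reply suggests, added here as an example and not part of the thread: it parses two snapshots of `show crypto ipsec sa` output taken while test traffic runs, attributes the `#pkts encaps`/`#pkts decaps` counters to the `current_peer` of each SA, and reports whether the expected peer moved in both directions, one direction, or whether another peer took the traffic instead. The snapshot text and the RFC 5737 addresses are constructed for the example.

```python
import re

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(text):
    """Map each peer to (encaps, decaps) totals from 'show crypto ipsec sa' text.

    Each SA block prints 'current_peer:' before its '#pkts' lines, so counters
    are attributed to the most recently seen peer; several SAs to one peer
    (multiple proxy IDs) are summed.
    """
    totals, peer = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            totals.setdefault(peer, [0, 0])
            continue
        if peer is None:
            continue
        for idx, rx in ((0, ENCAPS_RE), (1, DECAPS_RE)):
            m = rx.search(line)
            if m:
                totals[peer][idx] += int(m.group(1))
    return {p: tuple(v) for p, v in totals.items()}


def diagnose(before, after, expected_peer):
    """Compare two snapshots and return a verdict for the expected peer."""
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    b0, a0 = b.get(expected_peer, (0, 0)), a.get(expected_peer, (0, 0))
    enc, dec = a0[0] - b0[0], a0[1] - b0[1]
    if enc > 0 and dec > 0:
        return "OK"           # tunnel carries both directions; look beyond the FTD
    if enc > 0:
        return "ENCAPS_ONLY"  # FTD encrypts and sends, nothing returns from the peer
    if dec > 0:
        return "DECAPS_ONLY"  # peer sends, but local traffic never hits the crypto map
    # nothing moved for the expected peer: did another SA encrypt instead?
    busy = [p for p, v in a.items() if p != expected_peer and v[0] > b.get(p, (0, 0))[0]]
    return "WRONG_PEER:" + ",".join(busy) if busy else "IDLE"


# constructed sample output (ASA/FTD layout, RFC 5737 addresses)
SNAPSHOT_T0 = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20
      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1480, #pkts decrypt: 1480, #pkts verify: 1480
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("encaps: 1500", "encaps: 1620").replace("decaps: 1480", "decaps: 1590")

if __name__ == "__main__":
    print(diagnose(SNAPSHOT_T0, SNAPSHOT_T1, "198.51.100.20"))
```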
I am seeing encrypt and decrypt under the correct IPSec SA and there is no firewall past the FTD.
Should I be seeing traffic originating from the outside interface to the Azure server that is meant to be encrypted? I have never checked it before, but I would think that I should not be able to see it if it's getting encrypted.